Olivier BILHAUT
2022-Jul-20 11:19 UTC
[Samba] Issue with FAST implementation ? Disabling really disable ?
Hi list, Juste migrating from samba 4.14 to samba 4.16.3. Most works fine and thanks again for this great work. However I have an issue with a smbclient run locally which seems to fail due to a FAST issue. The command is run from the DC itself : -- $> /USR/LOCAL/SAMBA/BIN/SMBCLIENT \\\\DOMAIN.TLD\\NETLOGON -UDOMAIN/ACCOUNT -PPASS gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): FAST fast response is missing FX-FAST (cifs/DOMAIN.TLD at LOCAL)](2529639059) gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/domain.tld failed (next[(null)]): NT_STATUS_LOGON_FAILURE session setup failed: NT_STATUS_LOGON_FAILURE -- I have tried to disable FAST with " kdc enable fast = no" (and restart) as I have seen in release note, but now way. Any advice ? Have a nice day ! -- Olivier B
L. van Belle
2022-Jul-20 12:26 UTC
[Samba] Issue with FAST implementation ? Disabling really disable ?
Try kdc enable fast = no in smb.conf Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba <samba-bounces at lists.samba.org> Namens Olivier BILHAUT via > samba > Verzonden: woensdag 20 juli 2022 13:19 > Aan: samba <samba at lists.samba.org> > Onderwerp: [Samba] Issue with FAST implementation ? Disabling really > disable ? > > Hi list, > > Juste migrating from samba 4.14 to samba 4.16.3. Most works fine andthanks> again for this great work. > > However I have an issue > with a smbclient run locally which seems to fail due to a FAST issue. > The command is run from the DC itself : > > -- > > $> > /USR/LOCAL/SAMBA/BIN/SMBCLIENT \\\\DOMAIN.TLD\\NETLOGON - > UDOMAIN/ACCOUNT -PPASS > > gse_get_client_auth_token: gss_init_sec_context failed with [ > Miscellaneous failure (see text): FAST fast response is missing FX-FAST > (cifs/DOMAIN.TLD at LOCAL)](2529639059) > gensec_spnego_client_negTokenInit_step: > gse_krb5: creating NEG_TOKEN_INIT for cifs/domain.tld failed > (next[(null)]): NT_STATUS_LOGON_FAILURE > session setup failed: > NT_STATUS_LOGON_FAILURE > > -- > > I have tried to disable FAST with " kdc > enable fast = no" (and restart) as I have seen in release note, but nowway.> > Any advice ? > > Have a nice day ! > > -- > > Olivier B > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Jul-20 13:03 UTC
[Samba] Issue with FAST implementation ? Disabling really disable ?
On Wed, 2022-07-20 at 13:19 +0200, Olivier BILHAUT via samba wrote:> Hi list, > > Juste migrating from samba 4.14 to samba 4.16.3. Most works > fine and thanks again for this great work. > > However I have an issue > with a smbclient run locally which seems to fail due to a FAST issue. > The command is run from the DC itself : > > -- > > $> > /USR/LOCAL/SAMBA/BIN/SMBCLIENT \\\\DOMAIN.TLD\\NETLOGON > -UDOMAIN/ACCOUNT > -PPASSI know it can get frustrating when something doesn't work, but shouting at your DC isn't going to help :-D Have you tried replacing 'DOMAIN.TLD' with the DC's short hostname ? Are you aware that 'P' is the machine pass ? Try replacing '-PPASS' with '--password=PASS' Rowland
Andrew Bartlett
2022-Jul-20 20:09 UTC
[Samba] Issue with FAST implementation ? Disabling really disable ?
On Wed, 2022-07-20 at 13:19 +0200, Olivier BILHAUT via samba wrote:> Hi list, > Juste migrating from samba 4.14 to samba 4.16.3. Most worksfine and > thanks again for this great work. > However I have an issuewith a smbclient run locally which seems to > fail due to a FAST issue.Until you said this:> The command is run from the DC itself : > gse_get_client_auth_token: gss_init_sec_context failed with > [Miscellaneous failure (see text): FAST fast response is missing FX- > FAST(cifs/DOMAIN.TLD at LOCAL)](2529639059)gensec_spnego_client_negToken > Init_step:gse_krb5: creating NEG_TOKEN_INIT for cifs/domain.tld > failed(next[(null)]): NT_STATUS_LOGON_FAILUREsession setup > failed:NT_STATUS_LOGON_FAILUREI was going to say that this is almost certainly clock skew. I saw the same and got very confused until I fixed the clocks. But the same sort of still applies, this isn't really about FAST, it is another error that is being over-written by the FAST failure because the error packet doesn't offer FAST. That is also why turning it off on the KDC isn't helping, because this is the client hoping for FAST. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open SourceSolutions